Explore EPID Attestation to Enhance Enclave Security

Intel® SGX Attestation Service Utilizing Enhanced Privacy ID (EPID)

The Intel SGX attestation service is a public web service operated by Intel for client-based, privacy-focused usages on PCs or workstations. The primary responsibility of the Intel SGX attestation service is to verify attestation evidence submitted by relying parties. The Intel SGX attestation service utilizes Enhanced Privacy ID (EPID) provisioning, in which an Intel processor is given a unique signing key belonging to an EPID group. During attestation, the quote containing the processor’s provisioned EPID signature is validated, establishing that it was signed by a member of a valid EPID group. A commercial use license is required for any SGX application running in production mode that accesses the Intel SGX attestation service.

Enroll in Intel SGX Attestation Service

Intel plans to end-of-life (EOL) the Intel SGX Attestation Service on April 2, 2025. This would include all active API versions. Intel also plans to limit access to the IAS Development (DEV) environment after September 29, 2024. Please factor this into your engagement plans (see this link for additional details and Intel-offered attestation alternatives).

One of the key decisions when subscribing to the Intel SGX attestation service is the mode chosen for the EPID signature: Random Base Mode or Name Base Mode. For more information on EPID signature modes, as well as provisioning and attestation services, download the white paper.

Linkable Quotes (Name Base Mode): A name is picked for the base to be used for a signature, making signatures linkable. Verifying two signatures enables you to tell whether they were generated from the same or different signers. Name Base Mode is preferred to protect against compromise.

Unlinkable Quotes (Random Base Mode): Every signature gets a different random base, making the signatures unlinkable. Verifying two signatures does not enable you to tell whether they were generated by the same or different signers.
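
The difference between the two modes can be seen in a simplified model of the base B and the pseudonym K = B^f carried in an EPID signature. This is an added example, not Intel's code: it uses a toy group modulo a small prime, omits the EPID group-membership proof entirely, and all function names and sample values are hypothetical.

```python
import hashlib
import secrets

# Toy group for illustration only: integers modulo the Mersenne prime 2**127 - 1.
# Real EPID uses elliptic-curve groups plus a zero-knowledge membership proof,
# both of which are omitted from this model.
P = 2**127 - 1


def new_member_key() -> int:
    """Hypothetical stand-in for the per-processor secret f."""
    return secrets.randbelow(P - 3) + 2


def base_from_name(basename: bytes) -> int:
    """Name Base Mode: the base B is derived deterministically from a chosen name."""
    h = int.from_bytes(hashlib.sha256(basename).digest(), "big")
    return pow(h % P, 2, P)


def random_base() -> int:
    """Random Base Mode: a fresh base B is drawn for every signature."""
    return pow(secrets.randbelow(P - 3) + 2, 2, P)


def pseudonym(f: int, base: int) -> tuple:
    """The (B, K = B^f) pair that accompanies a signature."""
    return base, pow(base, f, P)


def link(sig1: tuple, sig2: tuple) -> str:
    """What a verifier can conclude from two already-verified signatures."""
    (b1, k1), (b2, k2) = sig1, sig2
    if b1 != b2:
        return "unknown"  # different bases: the K values are not comparable
    return "same signer" if k1 == k2 else "different signers"


if __name__ == "__main__":
    platform_a, platform_b = new_member_key(), new_member_key()
    b = base_from_name(b"constructed-service-name")  # constructed sample name
    print(link(pseudonym(platform_a, b), pseudonym(platform_a, b)))
    print(link(pseudonym(platform_a, b), pseudonym(platform_b, b)))
    print(link(pseudonym(platform_a, random_base()),
               pseudonym(platform_a, random_base())))
```

With a shared name-derived base, the verifier can compare K values across quotes; with random bases, two quotes from the same platform give it nothing to compare.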

The Intel® SGX Services and Intel® TDX Services Terms of Use govern your use of these services except where we expressly state that separate terms (and not these) apply. By using our services, you are agreeing to these terms. Make sure you read them carefully.

API Documentation

Attestation Report Root CA Certificate (available in DER and PEM formats)

Development Access

Subscribe now for immediate access to the development environment where non-production Intel SGX enabled applications can test attestation functionality in debug mode prior to releasing to production.

Production Access

Once a commercial use license has been executed and your application/solution has been added to the Launch Policy List (if applicable), you just need to Subscribe for production access. Once your subscription is activated you will be able to utilize the production version of the Intel SGX attestation service. For more information on these required steps, refer to our Commercial License Request page on Intel Developer Zone.

Note: a completed commercial use license is required before a subscription to this product can be added. When subscribing to this product, it is highly recommended that the subscription account use a public distribution list, because the email address used when subscribing will be the single point of contact for any notifications, including updates, new features, availability, downtime, or subscription revocation.